Privacy Policy


Written 12th May 2018


My name is Dr. Joel Sheridan and I am a Clinical Psychologist working in private practice. In this capacity, I gather and store certain confidential information about my clients. The processing and storage of client information is necessary for the intended purpose of carrying out psychological assessments, planning treatment interventions and managing the business side of running a practice. The legal basis for processing client data therefore falls under “Legitimate Interests”.


The data I obtain is partly demographic information which is provided on the Client Registration Form (address, date of birth etc.) and partly session notes that are written up after each meeting with each client. I operate a paperless office and so I shred client details sheets and formulations once they have been scanned. Data is simply retained electronically thereafter.


Data Retention Periods 
Electronic client notes are retained for a period of 7 years before they are permanently deleted. The period of 7 years is set in accord with professional insurance policies, such as Balens Professional Insurance policies, that recommend that records be kept for at least 7 years. At the end of the 7 year period, the information will be reviewed and deleted unless there is some particular reason for keeping it. In the unlikely event that I were to decide against deleting it at that point, I would record my reasons for doing so and would contact the individual to let them know why.


After the 7 year period, and after patient files are permanently deleted, the only data retained will be the basics: name of patient, number of sessions, outcome, and discharge date. 


Receiving a request for the client notes 
I have not yet been in the position where I have been asked to provide client notes by a solicitor or by the Police. However, it is possible that this could occur. After receiving such a request I would endeavour to first let the client know and attempt to gain their consent before sharing.


Requesting access to data
You are able to request copies of all the data I hold on you via a “subject access request”. The timescale for responding to such a request is 30 calendar days, except for exceptional circumstances. 


Who I may share data with 
If you have been referred by a psychiatrist or other medical professional then details of your treatment may be shared with them, unless you have specified you do not wish this to happen. 


Information about your treatment and information that you share with me is confidential. The only case where confidentiality may be breached is in the event that you gave me cause for concern - particularly if it appeared that you posed a significant risk of harm to yourself or to someone else. This is very rare in my experience. However, patients need to be clear about this from the outset.


Client data protection rights 
Please note that you have data protection rights (GDPR implementation date: 25 May 2018). These are outlined thoroughly in the Guide to the General Data Protection Regulation on the www.Ico.org.uk website. These relate to the way that information about people is stored and accessed amongst other things.


If you have any concerns about the privacy of your data, or you feel that there has been a breach in the way that I am handling your data, please do not hesitate to speak to me about this. I will do my best to address your concerns. Please be aware that should you feel that your concerns have not been adequately addressed by me you have the right to complain to the ICO (Information Commissioner’s Office). 


How I keep data secure 
I use a highly secure cloud storage provider called Sync.com. I chose this provider due to the overwhelmingly strong security that this provides. In a review of various cloud storage providers the website “Cloudwards” selected Sync.com as their preferred provider - on the subject of security and privacy policy they awarded Sync.com 100% “excellent”. Sync.com provides security features such as “zero knowledge encryption” and “256-Bit AES” which are vital to building strong cloud security. It also offers “two-factor authentication”. Data transmissions are further secured using TLS tunnels to protect against online eavesdropping. Encryption keys are protected using 2048-RSA. Sync’s data centres are SOC-1 certified and make use of RAID architecture to prevent server failures from leading to data loss.


What and where I store data
Clinical notes - these are saved as PDFs and I ensure that there are no names, addresses or dates of birth on these - only the bare essentials - patient initials. I write clinical notes after each session to summarise and help me plan the following session (saved to my computer and backed up on the cloud at Sync.com).


Client registration form (“Client Details”) - a one-page summary which records name, address, date of birth and insurance details where appropriate etc. (saved to my computer and backed up on the cloud at Sync.com).


Client name, telephone number and address - with no reference to them as a patient of mine. (These basic details are saved to my iPhone Contacts which is backed up by iCloud).


Client questionnaire scores - (Scanned copies are saved to my computer and backed up on the cloud at Sync.com).


SMS - I only text clients when there is a significant delay between the scheduled start of their session and their arrival time. Therefore, no personal or sensitive information is ever exchanged this way.


Emails - I use a system called GandiMail which is linked to my website domain registration company Gandi. Patients contact me via email at the point of referral, usually to arrange a brief telephone consultation or book an appointment. I confirm the reason for referral, and send an appointment confirmation. I occasionally update certain referrers (private psychiatrists) on the progress of their patients in therapy over email. Other than this no confidential information about therapy or information shared with me is ever conveyed over email. The only exception to this would be if ever there was a risk situation that required urgent action. This has not yet been necessary in my private practice. Unless they are deemed useful to retain, emails are regularly deleted.

Gandi Mail: “We are still assessing Gandi's compliance with the GDPR, but we believe to be compliant with article 32 in regards with security. The data is exclusively stored in the EU, and not further processed for any other purpose than providing the services. Emails are safely stored in our data centers, in rooms we have exclusive access to. Our housing partners are Equinix in France and LuxConnect in Luxembourg.”


Dr. Joel Sheridan, Clinical Psychologist